The NextCry strain of ransomware has made the headlines for infiltrating some improperly configured NextCloud servers, leaving many organizations asking, “Is NextCloud still secure to store my critical data?” The answer to that question is unequivocally, “yes.”
Initial speculation around NextCry suspected that the ransomware encrypted users’ data through an unpatched Windows client machine, but it was later found out that it was due to the CVE-2019-11043 vulnerability affecting some configurations of Nginx and PHP-FPM. It’s important to note that this is not a NextCloud vulnerability, but rather it was discovered in the PHP upstream packages.
Importance of Patching NextCloud Servers
Here was NextCloud’s official announcement on Oct 24, 2019 warning NextCloud administrators to patch their systems up to the latest PHP version — weeks before the first server was reported compromised by NextCry in late November. If you’re storing any data that you care about at all in NextCloud, it’s crucial to stay on top of updates not only to NextCloud but also to the server itself. Vulnerabilities are regularly discovered in Nginx, PHP, and the kernel. Kernel vulnerabilities such as Meltdown, Spectre, and Foreshadow can particularly impact you if you’re hosting NextCloud in a virtualized “cloud” environment, where the physical hardware is shared with other clients. A rogue customer on the same host could theoretically use speculative execution attacks to exfiltrate data from your server. Fortunately, all of the major cloud providers have been on top of applying mitigations released by Intel and AMD to protect their customers.
Using unattended/automatic patching tools such as yum-cron or apt-cron can help keep your server up to date, but it is still helpful to SSH into the server regularly, to fully apply any patches that require a reboot. If your organization has a dedicated sysadmin, they might prefer to schedule a maintenance window to manually update the packages and restart any services. Companies such as Canonical and KernelCare provide “live patching” technology that can hotfix the running kernel without a reboot — these services are available as a paid subscription.
Impact of the Nginx and PHP-FPM Vulnerability
Any Nginx web servers configured with a rewrite directive containing the
token, that also proxies requests to PHP-FPM is potentially at risk. Many web applications other than NextCloud are deployed with this architectural pattern, meaning you should secure any Nginx server serving PHP apps by updating to PHP 7.2.24 or 7.3.11 or higher and reviewing your Nginx configuration.
Only 2 out of 300,000 NextCloud servers worldwide were held to ransom by NextCry.
According to the official maintainers of NextCloud, only 2 out of 300,000 NextCloud servers worldwide were held to ransom by NextCry. Although that is still 2 too many servers being hacked, the vast majority of NextCloud administrators had ample notice to patch their systems in time. Since the exploitation of the CVE relies on appending a shell command to the requested URI to elevate privileges on the targeted machine, a web application firewall (WAF) such as CloudFlare or Sucuri can be part of a “defense in depth” strategy to reduce the risk of a successful exploitation of any future zero-day vulnerabilities. A WAF protects by scanning for suspicious URL patterns that might be used to exploit a vulnerability, and blocking those requests before they can reach your server.
The NextCry ransomware takes advantage of the CVE to load a Python script onto the compromised servers, which identifies the NextCloud data directory, purges the previous file versions, and encrypts all the users’ data with AES-256 encryption using an RSA-2048 encrypted password — known only to the attacker. The file names are also encoded with Base64, making it impossible to decipher which encrypted file corresponds to its unencrypted version.
Paying the ransom is usually ill-advised, especially because it doesn’t guarantee that the attackers will cough up the decryption key. It also encourages the proliferation of similar attacks against your organization and other users. The cybercriminals behind NextCry demanded 0.025 BTC from their victims, which was roughly $200 at the time of the attack. Although it might seem like a relatively small amount, ransomware makers are known to hit up the same victims for progressively larger ransoms — especially those who pay the ransom but have gaping security holes remaining in their IT infrastructure.
Defending Against Ransomware with NextCloud
NextCloud can be configured behind a WAF to protect against vulnerabilities similar to NextCry. Although patching your system is still essential, it provides an additional layer of defense against bad actors such as the cybercriminals who are scanning for vulnerable Nginx and PHP-FPM servers to automatically exploit them. Organizations that require particularly high security might choose to make their NextCloud instance only accessible after logging onto a corporate VPN, such as OpenVPN. By hiding your NextCloud instance away from the public Internet, a would-be attacker would first need to steal a user’s VPN credentials before they could even reach your NextCloud server.
NextCloud has a Ransomware Protection app which can be installed on any instance to stymie suspicious upload activity from any client, but it isn’t foolproof. The Ransomware Protection app wouldn’t have protected the NextCry victims against their plight, because NextCry encrypted everything from the server-side — not from the sync client.
Be proactive about data protection and contact the Autoize team for a complete security checkup of your NextCloud instance — in confidence. Here are some aspects of your installation which we would review:
- SSH daemon configuration (No root access, SSH key authentication only)
- Firewall settings (Limit open ports to essential ports)
- MySQL bind interface, grants, removal of default databases and users
- Nginx server configuration (SSL ciphers, security headers, redirects, etc.)
- Permissions, ownership of SSL certificate, chain, and private key
- Web server and PHP version to ensure security against Nextcry vulnerability
- Verify bind interface of Redis and/or Memcached memory caching server(s)
- Permissions, ownership, and location of NextCloud data directory
- Brute force protection against failed login attempts
- Telemetry switched off, with air-gapped updates by .tar file (optional)
- Set up automatic patching with yum-cron or apt-cron (optional)